Morrisons vicariously liable for staff data breach
In Various Claimants and WM Morrisons Supermarket PLC, Andrew Skelton, a former internal auditor, copied payroll data relating to 99,998 employees to a USB stick and then posted the personal details online. The data consisted of the names, addresses, gender, dates of birth, phone numbers, national insurance numbers and bank sort codes. 5,518 Morrisons’ employees whose data was disclosed, claimed compensation for misuse of private information and breach of confidence. The High Court found that Skelton’s role was to handle the payroll data, receive it, store it for a while, transfer it to others and then delete it. This meant that there was a sufficiently close connection between Skelton’s job and his wrongful conduct to make it right for Morrisons to be held vicariously liable. Although Morrisons were one target of his actions, they should be liable vicariously for the wrongs Skelton did to the claimants. Morrisons have been granted the right to appeal.